NIS2 and cybersecurity for French SMEs in 2026
NIS2 in France for SMEs: who may be in scope, essential and important entities, cyber governance, finance risks and a practical readiness checklist.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
NIS2 expands the European cybersecurity framework. For SMEs and mid-caps, the issue is not only IT. A cyber incident can stop invoicing, payroll, payments, orders, customer data and business continuity. Even when a company is not directly in scope, customers, insurers, banks or large contractors may still require evidence.
This article connects with our resources on compliance audits, organisational audit, DPO requirements, French e-invoicing and SME financial dashboards.
Executive summary
ANSSI describes NIS2 as an unprecedented expansion of cybersecurity regulation. Since 17 March 2026, ANSSI has made the ReCyF, Référentiel Cyber France, available as a working document listing recommended measures to meet NIS2 security objectives. It is not mandatory by default at this stage, but it is useful for future in-scope entities.
| Question | Careful 2026 answer |
|---|---|
| Are all SMEs in scope? | No. Scope depends on sector, size and special cases. |
| Essential or important entity? | NIS2 distinguishes two categories with proportionate requirements. |
| Are thresholds enough? | No. Activity-specific cases can apply. |
| Should companies wait? | No. Customers and insurers already ask for cyber evidence. |
| Who owns it? | IT, CEO, CFO, legal and critical providers together. |
Freshness note: updated on 3 May 2026. Scope should be confirmed against final French transposition and current ANSSI guidance.
Who may be concerned?
NIS2 targets sectors considered critical or important for the economy and society. ANSSI distinguishes future essential and important entities. MonEspaceNIS2 guidance indicates, as a general rule and subject to exceptions, that essential entities are those in highly critical sectors and meeting size thresholds such as more than 250 employees or turnover above EUR 50m.
Management should work step by step:
- Identify the exact sector.
- Check entity and group size.
- Look for special inclusion cases.
- Review contractual cybersecurity duties.
- Document the conclusion, even if the company is out of scope.
The underestimated risk: finance-system dependency
An SME may survive a few hours without a marketing website. It survives much less comfortably without payroll, banking, invoicing, ERP, point of sale, customer files or accounting evidence. Cybersecurity is therefore a finance issue.
| Critical asset | Incident consequence |
|---|---|
| Payroll software | Late payslips, DSN filings and employee tensions |
| Invoicing | Cash blockage and customer disputes |
| Online banking | Payment fraud risk |
| ERP or POS | Sales interruption and inventory errors |
| Accounting data | Delayed close or audit |
Our chartered accountant view: useful cyber mapping starts with cash-generating and statutory processes. The real question is how long the business can operate without invoicing, paying and filing.
NIS2 readiness checklist
- map critical systems;
- list providers, admin rights and cloud contracts;
- enable MFA on banking, email, payroll, accounting and ERP;
- segregate rights by function;
- test backups, not only schedule them;
- document an incident procedure;
- include cyber risk in cash planning;
- review cyber-insurance clauses and exclusions.
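The checklist item "test backups, not only schedule them" is the one most often skipped. The script below is an added example, not code from the article or from the firm: it builds a small backup of constructed accounting files together with a separate SHA-256 manifest, restores the archive into a scratch directory and reports any file that is missing or whose content no longer matches the manifest. The file names, the manifest format and the sample contents are assumptions made for the demo; a real restore test would point at the archive and manifest produced by the SME's own backup job.

```python
"""Restore test for a file backup: extract to a scratch directory and check every
file against a SHA-256 manifest written at backup time.

Added example, not code from the article. The archive layout, the manifest format
and the sample accounting files are constructed here for the demonstration.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data: files an SME finance team cannot work without.
SAMPLE_FILES = {
    "invoices/2026-04.csv": b"invoice_id,customer,amount\n1001,ACME,1200.00\n",
    "payroll/2026-04.json": b'{"period":"2026-04","employees":12}\n',
    "ledger/journal.txt": b"2026-04-30 close OK\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> tuple:
    """Build an in-memory tar.gz plus a manifest {path: sha256}.

    The manifest is kept apart from the archive so that a damaged or tampered
    archive cannot vouch for itself."""
    manifest = {path: sha256(content) for path, content in files.items()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue(), manifest


def verify_restore(archive: bytes, manifest: dict) -> dict:
    """Restore the archive into a temporary directory and compare each restored
    file with the manifest. Returns the problems found; empty 'missing' and
    'corrupt' lists mean the backup is restorable."""
    report = {"missing": [], "corrupt": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            # Refuse archive entries that would write outside the scratch directory.
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    raise ValueError(f"unsafe path in archive: {member.name}")
            try:
                tar.extractall(root, filter="data")
            except TypeError:  # older Python without extraction filters
                tar.extractall(root)
        restored = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
        for path, expected in manifest.items():
            if path not in restored:
                report["missing"].append(path)
            elif sha256((root / path).read_bytes()) != expected:
                report["corrupt"].append(path)
        report["unexpected"] = sorted(restored - set(manifest))
    return report


def is_restorable(report: dict) -> bool:
    return not report["missing"] and not report["corrupt"]


if __name__ == "__main__":
    archive, manifest = make_backup(SAMPLE_FILES)
    print("clean backup:", verify_restore(archive, manifest))
    # Simulate a damaged backup: one file altered, one file absent.
    damaged = dict(SAMPLE_FILES)
    damaged["ledger/journal.txt"] = b"2026-04-30 close FAILED\n"
    del damaged["payroll/2026-04.json"]
    bad_archive, _ = make_backup(damaged)
    print("damaged backup:", verify_restore(bad_archive, manifest))
```

Run it on a schedule and keep the report with the other cyber evidence: a dated restore report that shows zero missing and zero corrupt files is what an insurer or a regulated customer can actually read, whereas a backup schedule on its own proves nothing.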
SMEs can connect this work to digital finance transformation, outsourced CFO support and French accounting services. Tech companies should also review our startups and tech page. Power BI can track critical access, incidents and action plans.
Finance-led NIS2 preparation
Finance leaders should not wait for a formal in-scope notification before improving resilience. A pragmatic 90-day plan starts with payment security and business continuity. First, review all people who can create, approve or release payments. Second, verify that payroll, invoicing, accounting and banking tools have multi-factor authentication and that admin accounts are limited. Third, test whether accounting records and invoices can be restored from backups. Fourth, run a tabletop exercise: if the finance mailbox is compromised on a payroll week, who freezes payments, who contacts the bank, who informs employees and who communicates with clients?
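The first two steps of the plan, reviewing who can create, approve or release payments and limiting admin accounts, can be turned into a repeatable check rather than a one-off meeting. The script below is an added example, not code from the article or from the firm. It reads a constructed access export with one row per user, system and right, flags any user who holds both the create right and an approve or release right in the same system (the single-person payment path behind CEO fraud), and lists systems whose number of admin accounts exceeds a limit. The export format, the sample users and the limit of two admins per system are assumptions for the demo; real exports come from the bank portal, ERP or payroll tool.

```python
"""Access review for payment rights: detect segregation-of-duties conflicts and
systems with too many admin accounts.

Added example, not code from the article. The CSV export format, the sample rows
and the admin limit are constructed assumptions for the demonstration.
"""
import csv
import io
from collections import defaultdict

# Constructed export: one row per (user, system, right).
ACCESS_EXPORT = """user,system,right
alice,banking,create
alice,banking,release
bob,banking,approve
carol,erp,create
carol,erp,approve
dave,banking,admin
erin,banking,admin
frank,banking,admin
grace,payroll,admin
"""

# Toxic combinations: one person holding both rights in one system can push a
# payment through alone, which defeats the four-eyes principle.
TOXIC_PAIRS = [("create", "approve"), ("create", "release")]
MAX_ADMINS_PER_SYSTEM = 2  # assumed policy limit for the demo


def parse_export(text: str) -> dict:
    """Group rights by (user, system) so each combination can be examined."""
    rights = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        rights[(row["user"].strip(), row["system"].strip())].add(row["right"].strip())
    return rights


def sod_conflicts(rights: dict) -> list:
    """Return (user, system, right_a, right_b) for every toxic pair held by one user."""
    found = []
    for (user, system), held in sorted(rights.items()):
        for a, b in TOXIC_PAIRS:
            if a in held and b in held:
                found.append((user, system, a, b))
    return found


def admin_excess(rights: dict, limit: int = MAX_ADMINS_PER_SYSTEM) -> dict:
    """Return {system: [admins]} for systems with more admin accounts than allowed."""
    admins = defaultdict(list)
    for (user, system), held in rights.items():
        if "admin" in held:
            admins[system].append(user)
    return {system: sorted(users) for system, users in admins.items() if len(users) > limit}


if __name__ == "__main__":
    rights = parse_export(ACCESS_EXPORT)
    for user, system, a, b in sod_conflicts(rights):
        print(f"SoD conflict: {user} can both {a} and {b} payments in {system}")
    for system, users in admin_excess(rights).items():
        print(f"Too many admins on {system}: {', '.join(users)}")
```

Each finding maps directly to an action in the 90-day plan: remove one of the two rights from the conflicting user, or demote surplus admin accounts, then re-run the check and file the clean output with the access review.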
The same work improves due diligence. Investors, lenders and large customers increasingly ask about cybersecurity maturity. A concise file with system mapping, access review, backup tests, incident procedure, insurance review and supplier list gives management a credible answer. It also helps the accountant understand where accounting evidence is stored and how quickly it can be recovered after an incident.
Supplier and subcontractor angle#
Many SMEs will feel NIS2 through contracts before they feel it through direct supervision. A software vendor, logistics provider, finance outsourcer or industrial subcontractor may be asked by a regulated customer to prove basic cyber hygiene. This is why the decision cannot be left only to IT. Sales, legal and finance need a shared response pack with certifications, policies, incident contacts and evidence of controls.
2026 watch points
- Follow French transposition and ANSSI updates.
- Large customers may push NIS2-style requirements to suppliers.
- Untested backups are false comfort.
- CEO fraud and payment fraud remain major financial risks.
- Cyber incidents belong in cash and continuity scenarios.
Frequently asked questions
Do all French SMEs have to register under NIS2?
No. Scope depends on sector, size and specific cases. But many SMEs will need cyber evidence for clients or insurers.
What is the difference between essential and important entities?
NIS2 distinguishes categories by criticality and size, with proportionate requirements. Detailed analysis must follow the directive and French transposition.
Is the CFO concerned?
Yes. Payroll, invoicing, banking, ERP, cash and accounting data are critical assets. Cyber risk belongs in internal control.
What should we do first?
Enable MFA on critical access, test backups and map the applications that would stop operations if unavailable.
Is ReCyF mandatory?
ANSSI presents ReCyF as a working document and not mandatory by default at this stage. It remains a useful reference for NIS2 preparation.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.